8 research outputs found

    Design and validation of a platform for electromagnetic fault injection

    Security is acknowledged as one of the main challenges in the design and deployment of embedded circuits. Devices need to operate in the field safely and correctly, even when within physical reach of potential adversaries. One of the most powerful techniques to compromise the correct functioning of a device is the fault injection attack. Such attacks enable an active adversary to trigger errors in a circuit in order to bypass security features or to gain knowledge of security-sensitive information. There are several methods to induce such errors. In this work we focus on the injection of faults through the electromagnetic (EM) channel. In particular, we document our efforts towards building a suitable platform for EM pulse injection. We design a pulse injection circuit that can provide currents over 20 A to an EM injector in order to generate abrupt variations of the EM field in the vicinity of a circuit. We validate the suitability of our platform by applying a well-known attack on an embedded 8-bit microcontroller implementing the AES block cipher. In particular, we show how to extract the AES secret cryptographic keys stored in the device by careful injection of faults during the encryption operations and simple analysis of the erroneous outputs.

    EM Injection: Fault Model and Locality

    EM injection recently emerged as an effective medium for fault injection. This paper presents an analysis of IC susceptibility to EM pulses. It highlights that faults produced by EM pulse injection are not timing faults but correspond to a different model, which is presented in this paper. This model also makes it possible to explain experimental results introduced in former communications.

    SNIFF: Reverse Engineering of Neural Networks with Fault Attacks

    Neural networks have been shown to be vulnerable to fault injection attacks. These attacks change the physical behavior of the device during the computation, resulting in a change of the value that is currently being computed. They can be realized by various fault injection techniques, ranging from clock/voltage glitching to application of lasers to rowhammer. In this paper we explore the possibility of reverse engineering neural networks with the usage of fault attacks. SNIFF stands for sign bit flip fault, which enables the reverse engineering by changing the sign of intermediate values. We develop the first exact extraction method on deep-layer feature extractor networks that provably allows the recovery of the model parameters. Our experiments with the Keras library show that the precision error for the parameter recovery for the tested networks is less than $10^{-13}$ with the usage of 64-bit floats, which improves the current state of the art by 6 orders of magnitude. Additionally, we discuss the protection techniques against fault injection attacks that can be applied to enhance the fault resistance.

    Revisiting Fault Adversary Models - Hardware Faults in Theory and Practice

    Physical attacks are serious threats to hardware implementations of any strong cryptographic primitive. In particular, fault injection attacks are considered a powerful technique to successfully attack embedded cryptographic implementations, since various fault injection mechanisms, from simple clock glitches to more advanced techniques like laser fault injection, can lead to devastating attacks, even with just a single successfully injected fault. Given these critical attack vectors, researchers in academia and industry came up with a long list of dedicated countermeasures to thwart such attacks. However, the validation of proposed countermeasures is mostly performed on custom adversary models that are often not tightly coupled with the actual physical behavior of available fault injection mechanisms and techniques and, hence, fail to model reality accurately. Furthermore, using custom models complicates comparison between different designs and evaluation results. As a consequence, we aim to close this gap by proposing a simple, generic, and consolidated fault injection adversary model in this work that can be tailored to existing fault injection mechanisms and their physical behavior in hardware. To demonstrate the advantages of our adversary model, we apply it to a cryptographic primitive (i.e., an ASCON S-box) and evaluate it based on different attack vectors. We further show that our proposed adversary model can be used and integrated into the state-of-the-art fault verification tool VerFI. Finally, we provide a discussion on the benefits and differences of our approach compared to already existing evaluation methods and briefly discuss limitations of currently available verification tools.

    Electromagnetic signal injection attacks on embedded systems: modeling and detection

    Embedded systems are ubiquitous in our lives, from smart locks in home automation to robotic arms in industrial equipment, playing key roles in many safety- and security-critical applications. An embedded system can interact with the external world through three interfaces: it uses sensors to sense environmental changes, controls actuators to cause physical impacts, and exchanges information with others through transmission lines. In recent years, studies have demonstrated using electromagnetic interference (EMI) to wirelessly manipulate signals in these interfaces. Such manipulation can maliciously control the embedded systems, threatening users' privacy and safety, for example, unlocking a smart lock or raising the temperature of infant incubators. Detecting such attacks is becoming increasingly essential, but proposed detection methods in the literature are designed for specific applications. Thus, this thesis proposes two novel detection methods that can protect various systems regardless of their types, filling the gap of generalized detection methods. The first detection method is for the sensors, and its core idea is to modulate the sensor power in a secret pattern unknown to the attacker. To bypass the detection, the attacker must guess the secret correctly; however, this detection method provides a strong security guarantee, where the probability of a correct guess is negligible. The second detection method is designed for the actuators, and its detection principle is to compare a signal to be protected with a reference, between which the difference can indicate whether an attack occurs. This method can guarantee that any attack effectively impacting a victim system will be detected. This thesis will demonstrate that these detection methods not only provide strong security guarantees but are also lightweight and flexible enough to be integrated with different systems.
    In addition to these detection methods, this thesis presents a pioneering study about how to corrupt the signal integrity of differential signaling. Since many popular protocols such as USB, Ethernet, HDMI, and CAN derive their electromagnetic noise immunity from differential signaling, many people believe it can make communications immune to external interference, whereas the study challenges this assumption and shows a state-of-the-art attack that allows an attacker to use fine-tuned EMI to inject arbitrary messages into differential signaling.

    Secure Physical Design

    An integrated circuit is subject to a number of attacks including information leakage, side-channel attacks, fault injection, malicious change, reverse engineering, and piracy. The majority of these attacks take advantage of the physical placement and routing of cells and interconnects. Several measures have already been proposed to deal with security issues of the high-level functional design and logic synthesis. However, to ensure an end-to-end trustworthy IC design flow, it is necessary to have security sign-off during the physical design flow. This paper presents a secure physical design roadmap to enable an end-to-end trustworthy IC design flow. The paper also discusses utilization of AI/ML to establish security at the layout level. Major research challenges in obtaining a secure physical design are also discussed.

    Evidence of a larger EM-induced fault model

    Electromagnetic waves have recently been pointed out as a medium for fault injection within circuits featuring cryptographic modules. Indeed, it has been experimentally demonstrated by A. Dehbaoui et al. (Injection of transient faults using electromagnetic pulses - practical results on a cryptographic system, IACR Cryptology ePrint Archive 2012) that an electromagnetic pulse, produced with a high voltage pulse generator and a probe similar to that used to perform EM analyses, could create faults exploitable from a cryptanalysis viewpoint. An analysis of the induced faults (Dehbaoui et al., Electro-magnetic transient faults injection on a hardware and a software implementations of AES. In FDTC, 2012) revealed that they originated from timing constraint violations. This paper experimentally demonstrates that EM injection, performed with enhanced probes, is very local and can produce not only timing faults but also bit-set and bit-reset faults. This result clearly extends the range of the threats associated with EM fault injection.